What is the Data Protection Act 2018?
A look at the UK's national data laws and how GDPR fits into the puzzle
The Data Protection Act 2018 is the UK's third generation of laws governing the collection and use of personal data. Having received royal assent on 23 May, it's designed to modernise data protection laws to account for new innovations and digital platforms that continually expand the scope of data collection.
The DPA 2018 establishes a framework for the regulation of data use in the UK and replaces the previous Data Protection Act 1998. The act covers a broad spectrum of data policies, but its primary purpose is to empower data subjects with new tools to protect their information and help them hold organisations to account.
The act also works to supplement the regulatory oversight provided by the General Data Protection Regulation (GDPR), which came into force on 25 May 2018, by extending into areas not otherwise covered by the EU law. It's important to note that the DPA 2018 does not implement GDPR, as the latter automatically applies to the UK as an EU member state. However, the act does implement the EU Law Enforcement Directive, which provides a fundamental right to data protection whenever an individual's data is used by law enforcement agencies.
Why do we need DPA 2018 when we have GDPR?
The DPA 2018 largely mirrors GDPR, but there are some subtle differences.
Although GDPR applies to all EU member states automatically, the regulation does allow states to create their own additional provisions in order to implement it more smoothly into national laws.
In the case of the UK, most data processing will be governed by GDPR; however, some activities related to immigration issues, processing of data by FOI public authorities, and certain national security exemptions are all covered by the Data Protection Act 2018.
Such provisions have since been challenged in the courts. The DPA 2018 allows the Home Office, and other organisations involved in immigration processing, to refuse personal data access requests if they feel it could prejudice "effective immigration control". Human rights organisations such as the Open Rights Group have labelled this rule unlawful, and a case is currently making its way through the High Court.
GDPR also universally sets the age of data processing consent to 16, whereas this is set at 13 under the DPA. The DPA also allows organisations to perform automated decision-making provided safeguards are in place and there are grounds to do so, something which GDPR forbids.
Although the UK has voted to leave the EU, it's bound by any EU legislation that comes into force up until the day it leaves. Once the UK leaves the bloc, GDPR will be signed into UK law as part of the European Union (Withdrawal) Act 2018, although the date for this has been amended a number of times. At the time of writing, the act is set to come into force on 31 October 2019.
The DPA 2018 also serves as a means of ensuring the UK will be able to secure an adequacy agreement with the EU post-Brexit, which will be required to ensure the smooth flow of data from the EU to the UK. This agreement is a formal understanding that a third country's data protection laws are robust enough to provide a similar level of data protection as that provided under GDPR. Although the UK has said it will authorise the transmission of data to the EU, without an adequacy agreement the UK may find it difficult to receive data legally. While there's every indication that this will happen, the process can only start once the UK leaves the EU.
What's more, any organisation based in the UK (or anywhere else for that matter) that has customers who are European residents will be required to adhere to GDPR rules regardless of whether the UK is in or out of the EU. It makes sense, therefore, to have domestic law that largely mirrors GDPR.
For more information on the various ways in which Brexit may affect GDPR, head to our in-depth guide.
Definition of personal data under DPA 2018
Under the DPA 2018, personal data refers to any information relating to an identified or identifiable living individual, that is, an individual who can be identified directly or indirectly by the data. This includes names, identification numbers, location data, online identifiers or one or more factors specific to them, such as physical, physiological, genetic, mental, economic, or cultural information, or their social identity.
Effectively, anything that could be used to identify an individual in some way is considered personal data, which includes more modern factors such as internet IP addresses.
What has changed since the DPA 1998?
The DPA 2018 seeks to modernise data protection frameworks to account for a rise in the number of digital platforms and social media companies, and the widespread nature of data collection across the internet. The act brought in far greater powers for data subjects, and generally strengthened many of the provisions set out in the 1998 version.
While there is still a requirement to process data legally and fairly, organisations are now required to be far more transparent in their activities. Data collection must also only be for explicit, specific and legitimate purposes.
The conditions for lawful processing have also been refined and updated where necessary. Consent, performance of a contract, legal obligation, vital interests, public interest and legitimate interests are all legal conditions under which to process data. In the case of consent, one major change was that data subjects must give explicit consent for the processing of their data in relation to specific purposes, rather than blanket explicit consent.
How data is managed while stored has also changed, with greater requirements on businesses to not only keep data up to date, but also erase anything that is inaccurate without delay.
What data could be collected was also open for greater interpretation under the 1998 act, which allowed organisations to process data provided it wasn't deemed "excessive" to its original purpose. Now, processing is limited entirely to data deemed relevant.
Structure of the DPA 2018
The DPA 2018 enforces four distinct data protection frameworks, with each relating to a specific category of data processing.
- Within the scope of GDPR
- Outside the scope of GDPR
- By competent authorities for law enforcement purposes
- By the intelligence services
The act is also split into seven parts, each containing multiple schedules. Following an introductory section and key terms, Part 2 covers various aspects of general processing of personal data, Part 3 covers law enforcement, Part 4 relates to intelligence service processing, Part 5 covers the powers of the Information Commissioner's Office (ICO), Part 6 outlines the scope of enforcement powers, and Part 7 covers additional provisions that do not fall under the previous categories.
Special provisions are set out for law enforcement processing, including the processing of personal data by the police, prosecutors and similar criminal justice bodies. Similar provisions exist for processing by intelligence services, which aim to bring UK standards in line with international standards. The frameworks also ensure the smooth flow of data internationally for the purpose of tackling crime, while ensuring data protections are upheld.
Penalties for a breach of DPA 2018
Like GDPR, the DPA 2018 gives the ICO the power to levy far tougher fines than anything seen in the past. Under the 1998 act, the maximum possible fine was £500,000.
Under the DPA 2018, failing to report a data breach within a 72-hour period can result in a fine of 2% of a company's annual global turnover, or €10 million (£9 million), whichever is higher. For the data breach itself, the maximum fine doubles to 4% or €20 million (£17 million).